Post on 15-Jan-2015
Barry Caplin
How Do You Spell CISO?
Wed. May 14, 2014, 11A
Like what you hear? Tweet it using: #Sec360
How Do You Spell CISO? Secure360
Wed. May 14, 2014
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin, Chief Information Security Official, Fairview Health Services
Fairview Overview
• Not-for-profit established in 1906
• Academic Health System since 1997 partnership with University of Minnesota
• >22K employees
• >3,300 aligned physicians (employed, faculty, independent)
• 7 hospitals/medical centers (>2,500 staffed beds)
• 40-plus primary care clinics
• 55-plus specialty clinics
• 47 senior housing locations
• 30-plus retail pharmacies
2012 data
• 5.7 million outpatient encounters
• 74,649 inpatient admissions
• $2.8 billion total assets
• $3.2 billion total revenue
Who is Fairview?
A partnership of North Memorial and Fairview
Did you ever think about…
Challenges
• Keep it simple
• Keep it High Level
• Don’t let ‘em pull you in to the weeds
Game Time!
First Quarter
• Learn the Business
• Culture of Security
• Baseline the Organization
Learn the Business
Business/Ops lead – not Security or IT
• Do you know? Industry; Niche; Mission/Vision; Why/What/How; The Organization
Learn the Business
• Ask Questions
• Org Charts
• Get Out of the Building!
• 1:1’s; Divisional meetings;
Leaders; C-suite
Learn the Business
• Agenda: Introduction; learn about the business area, what works and what doesn't, partnership opportunities, what can I do for you?
• Establish your office; Create Champions
A Culture of Security
A journey of a thousand miles begins with a single step.
- Lao-tzu, The Way of Lao-tzu, Chinese philosopher (604 BC - 531 BC)
You gotta start somewhere. - Me
A Culture of Security
• Is there existing training?
• Train for Compliance
• Awareness to reinforce
• Create Evangelists
A Culture of Security
• Be Relevant
• Connect to the Business
• Seek out and Destroy controls that add no value
Baseline the Organization
Helps you:
• Know where things stand
• Show progress
Baseline the Organization
Methods:
• Compare against known standard
• Maturity Model
CObIT Security Baseline
CObIT Maturity Assessment Tool
Gartner IT Score
Homegrown
In your spare time…
• Low hanging fruit
• Other duties as assigned
Second Quarter
• Strategic Planning
• Tactical Planning
• Roadmap
Security is not a Project….
It’s a Lifestyle!
Strategic Planning
• High-level
• Outcomes
• Framework: NIST, CObIT, HITRUST, ISO27001
Strategic Planning
• Business info +
• Baseline analysis +
• Risk Assessment + Threat Assessment: Assets; Actors; Actions
• Vision = Time Travel
Threat Modeling/Assessment
• Elevation of Privilege http://www.microsoft.com/security/sdl/adopt/eop.aspx
• Control-Alt-Hack http://www.controlalthack.com/
• UW Security Cards http://securitycards.cs.washington.edu/
Tactical Planning
• Tactics are “How?”: Support each strategy; More granular; Shorter timeframe (1-3 yrs.)
Strategy/Tactics
Roadmap
Third Quarter…
• Execute!
• Metrics/KPIs/KRIs
• Communicating Risk
• BoD Reports
…And Beyond
The “game” never ends.
• Iterative processes
• Support the “bridges”
• Living documents
• Review and refine